One of the common issues you could run into when setting up WSO2 API Manager in a clustered setup is the "failure due to Unclassified Authentication Failure" error when invoking an API.
WARN APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
This error happens when the gateway node fails to validate the token. The following tips can help you debug the issue.
1. Check the errors in KeyManager node.
The first thing you should do is check whether there are any errors in the Key Manager error logs. If there are errors there, the request reached the Key Manager, so connection-related issues from the Gateway to the Key Manager node can be ruled out.
2. Check configurations.
There could be a configuration issue in the <APIKeyValidator> section of the api-manager.xml file on both servers. Check the URLs and see whether they point to the correct endpoint. Also check whether the <KeyValidatorClientType> property is the same on both the gateway and the keymanager. You could switch the client type (WSClient or ThriftClient) and check as well (the Thrift ports need to be configured correctly).
3. Enable debug logs
Add the following entries to the log4j.properties file in repository/conf on the given node.
In gateway node
log4j.logger.org.wso2.carbon.apimgt.gateway.handlers.security=DEBUG
In keymanager node
log4j.logger.org.wso2.carbon.apimgt.keymgt=DEBUG
These logs should give you a better idea of what is going wrong.
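The configuration check in step 2 can be scripted. The following is an added example, not part of the original post or of WSO2's code: it compares the <APIKeyValidator> sections of the two nodes' api-manager.xml files. The element names ServerURL, ThriftClientPort and ThriftServerPort are assumptions about the file layout, and the hostnames and ports in the sample data are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

def validator_settings(xml_text):
    """Return the children of <APIKeyValidator> as a dict, ignoring XML namespaces."""
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.split("}")[-1] == "APIKeyValidator":
            return {c.tag.split("}")[-1]: (c.text or "").strip() for c in elem}
    raise ValueError("no <APIKeyValidator> section found")

def compare_nodes(gateway_xml, keymanager_xml, keymanager_host):
    """List mismatches that would stop the gateway validating tokens."""
    gw, km = validator_settings(gateway_xml), validator_settings(keymanager_xml)
    findings = []
    gw_type, km_type = gw.get("KeyValidatorClientType"), km.get("KeyValidatorClientType")
    if gw_type != km_type:
        findings.append(f"KeyValidatorClientType differs: gateway={gw_type}, keymanager={km_type}")
    # Assumed element name: ServerURL holds the key validation endpoint.
    host = urlparse(gw.get("ServerURL", "")).hostname
    if host != keymanager_host:
        findings.append(f"gateway ServerURL points at {host}, expected {keymanager_host}")
    # Assumed element names: ThriftClientPort (gateway) and ThriftServerPort (keymanager).
    if gw_type == "ThriftClient" and gw.get("ThriftClientPort") != km.get("ThriftServerPort"):
        findings.append("Thrift port mismatch: gateway ThriftClientPort="
                        f"{gw.get('ThriftClientPort')}, keymanager ThriftServerPort="
                        f"{km.get('ThriftServerPort')}")
    return findings

def sample(url, client_type, port_tag, port):
    """Build a constructed api-manager.xml fragment for the demo."""
    return (f"<APIManager><APIKeyValidator><ServerURL>{url}</ServerURL>"
            f"<KeyValidatorClientType>{client_type}</KeyValidatorClientType>"
            f"<{port_tag}>{port}</{port_tag}></APIKeyValidator></APIManager>")

# Constructed sample configurations (hostnames and ports are made up).
KM_URL = "https://km.example.internal:9443/services/"
KEYMANAGER = sample(KM_URL, "ThriftClient", "ThriftServerPort", 10397)
GATEWAY_BAD = sample("https://localhost:9443/services/", "WSClient", "ThriftClientPort", 10397)
GATEWAY_PORT = sample(KM_URL, "ThriftClient", "ThriftClientPort", 10398)
GATEWAY_GOOD = sample(KM_URL, "ThriftClient", "ThriftClientPort", 10397)

if __name__ == "__main__":
    for name, cfg in [("bad", GATEWAY_BAD), ("port", GATEWAY_PORT), ("good", GATEWAY_GOOD)]:
        print(name, compare_nodes(cfg, KEYMANAGER, "km.example.internal"))
```

To use it on a real cluster, pass the contents of each node's api-manager.xml in place of the sample strings.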